Detect SQL Injection

Question

I came to a company that already has a fully grown project... but coders that worked here before me didn't follow conventions and didn't use parametrized SQL queries... as a result there is over 1000 places in a very huge project that can possibly be vulnerable to SQL injection...

I need to find a solution that will automatically detect if there is an SQL injection in the code. So, for example there is a form which allows user to enter comments regarding a product, which will be sent to database on submit... how can we make sure that a user didn't enter a harmfull query instead of a normal text?

Is there any advanced code/regular expression/magic that can detect if this text contains a piece of SQL query instead of normal harmless text? I will accept any links, pieces of code in any language or even commercial software that will do that for me.

Thank you

Answer 1

There is no silver bullet here. SQL injections can come in many obscured forms and trying to detect them using regular expressions or another form in your firewall, or application can protect you from the most simple forms of SQL injection, but an experienced hacker will simply get through. As AdaTheDev already noted, automated tools that inspect your code, such as the MS Code Analysis Tool, might give you a kick start, but again there is no silver bullet. You will need to go through your whole application.

When this is a lot of work, you should make a plan. First of all, make a guideline that states how these types of attacks can be mitigated. Also try to divide your application in parts, from very critical to less critical. This way you can better estimate the costs of repairing the bugs and can let management decide what it may cost and thus what risk they are willing to take. Parts of your application that unauthenticated users can access are most critical. If everybody (in the world) can create an account in your application, all functionality that these users can access is highly critical. The smaller the population and the more you trust those users, the smaller the risk. You perhaps can get away with fixing these parts later. But never underestimate a good hacker. He/she might be able to compromise the account of a user with high privilege and start testing for SQL injection possibilities using that account.

Always try to have a defense in depth strategy, have multiple (or many) layers of defence. For instance, do never connect with your database as SA from within your application. Create an account with just the privileges that are needed and perhaps even create multiple SQL accounts, one account per role (or per a group of roles). While restricting the privileges to the database help a lot in mitigating the risk, again, don't bet on it as a single layer of defense. This article for instance, explains how a hacker can abuse a lower privilege account when she's able to do SQL injection.

It is admirable that you ask this question here, because I’ve seen many developers in the past who just don’t want to know, which is very scary, because the business often trusts its developers (which is scary as well).

I wish you the best of luck.